Modified 4.6 5.1.1~5.1.7 to be compatible with CentOS.

2019-08-06 06:03:15 +08:00 · 2019-08-06 06:03:15 +08:00 · 22ca3864d4
parent f8aa395b6e
commit 22ca3864d4
8 changed files with 272 additions and 49 deletions
--- a/bin/hardening/4.6_disable_usb_devices.sh
+++ b/bin/hardening/4.6_disable_usb_devices.sh
@ -1,11 +1,13 @@
 #!/bin/bash

 #
-# harbian audit 7/8/9  Hardening /
+# harbian audit 7/8/9/10 or CentOS Hardening 
+# Modify by: Samson-W (samson@hardenedlinux.org)
 #

 #
 # 4.6 Disable USB Devices
+# TODO test
 #

 set -e # One error, it's over
@ -18,8 +20,11 @@ PATTERN='ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{auth
 FILES_TO_SEARCH='/etc/udev/rules.d'
 FILE='/etc/udev/rules.d/CIS_4.6_usb_devices.conf'

-# This function will be called if the script status is on enabled / audit mode
-audit () {
+BLACKRULEPATTERN='^blacklist[[:blank:]].*usb-storage'
+BLACKRULE='blacklist usb-storage'
+BLACKCONFILE='/etc/modprobe.d/blacklist.conf'
+
+audit_debian () {
    SEARCH_RES=0
    for FILE_SEARCHED in $FILES_TO_SEARCH; do
        if [ $SEARCH_RES = 1 ]; then break; fi
@ -50,6 +55,22 @@ audit () {
    fi
 }

+audit_redhat () {
+	:
+}
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+	if [ $OS_RELEASE -eq 1 ]; then
+        audit_debian
+    elif [ $OS_RELEASE -eq 2 ]; then
+        audit_redhat
+    else
+        crit "Current OS is not support!"
+        FNRET=44
+    fi
+}
+
 # This function will be called if the script status is on enabled mode
 apply () {
    SEARCH_RES=0
--- a/bin/hardening/5.1.1_disable_nis.sh
+++ b/bin/hardening/5.1.1_disable_nis.sh
@ -1,7 +1,8 @@
 #!/bin/bash

 #
-# harbian audit 7/8/9  Hardening
+# harbian audit 7/8/9/10 or CentOS Hardening
+# Modify by: Samson-W (samson@hardenedlinux.org)
 #

 #
@ -14,10 +15,14 @@ set -u # One variable unset, it's over
 HARDENING_LEVEL=3

 PACKAGE='nis'
+PACKAGE_REDHAT='ypserv'

 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    is_pkg_installed $PACKAGE
+	if [ $OS_RELEASE -eq 2 ]; then
+		PACKAGE=$PACKAGE_REDHAT
+	fi
+	is_pkg_installed $PACKAGE
    if [ $FNRET = 0 ]; then
        crit "$PACKAGE is installed!"
    else
@ -28,11 +33,18 @@ audit () {

 # This function will be called if the script status is on enabled mode
 apply () {
+	if [ $OS_RELEASE -eq 2 ]; then
+		PACKAGE=$PACKAGE_REDHAT
+	fi
    is_pkg_installed $PACKAGE
    if [ $FNRET = 0 ]; then
        crit "$PACKAGE is installed, purging it"
-        apt-get purge $PACKAGE -y
-        apt-get autoremove
+		if [ $OS_RELEASE -eq 2 ]; then
+			yum -y autoremove $PACKAGE
+		else
+        	apt-get purge $PACKAGE -y
+        	apt-get autoremove
+		fi
    else
        ok "$PACKAGE is absent"
    fi
--- a/bin/hardening/5.1.2_disable_rsh.sh
+++ b/bin/hardening/5.1.2_disable_rsh.sh
@ -1,7 +1,8 @@
 #!/bin/bash

 #
-# harbian audit 7/8/9  Hardening
+# harbian audit 7/8/9/10 or CentOS Hardening
+# Modify by: Samson-W (samson@hardenedlinux.org)
 #

 #
@ -15,11 +16,11 @@ HARDENING_LEVEL=2

 # Based on aptitude search '~Prsh-server'
 PACKAGES='rsh-server rsh-redone-server heimdal-servers'
+PACKAGE_REDHAT='rsh-server'
 FILE='/etc/inetd.conf'
 PATTERN='^(shell|login|exec)'

-# This function will be called if the script status is on enabled / audit mode
-audit () {
+audit_debian () {
    for PACKAGE in $PACKAGES; do
        is_pkg_installed $PACKAGE
        if [ $FNRET = 0 ]; then
@ -41,8 +42,27 @@ audit () {
    done
 }

-# This function will be called if the script status is on enabled mode
-apply () {
+audit_redhat () {
+	is_pkg_installed $PACKAGE_REDHAT
+	if [ $FNRET = 0 ]; then
+         crit "$PACKAGE_REDHAT is installed!"
+	else
+		ok "$PACKAGE_REDHAT is absent"
+	fi
+}
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+	if [ $OS_RELEASE -eq 1 ]; then
+        audit_debian
+    elif [ $OS_RELEASE -eq 2 ]; then
+        audit_redhat
+    else
+        crit "Current OS is not support!"
+        FNRET=44
+    fi
+}
+
+apply_debian () {
    for PACKAGE in $PACKAGES; do
        is_pkg_installed $PACKAGE
        if [ $FNRET = 0 ]; then
@ -70,6 +90,27 @@ apply () {
    done
 }

+apply_redhat () {
+	is_pkg_installed $PACKAGE_REDHAT
+    if [ $FNRET = 0 ]; then
+		crit "$$PACKAGE_REDHAT is installed, purging it"
+		yum -y remove $PACKAGE_REDHAT
+	else
+		ok "$PACKAGE_REDHAT is absent"
+	fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+	if [ $OS_RELEASE -eq 1 ]; then
+		apply_debian
+	elif [ $OS_RELEASE -eq 2 ]; then
+		apply_redhat
+	else
+		crit "Current OS is not support!"
+	fi
+}
+
 # This function will check config parameters required
 check_config() {
    :
--- a/bin/hardening/5.1.3_disable_rsh_client.sh
+++ b/bin/hardening/5.1.3_disable_rsh_client.sh
@ -1,7 +1,8 @@
 #!/bin/bash

 #
-# harbian audit 7/8/9  Hardening
+# harbian audit 7/8/9/10 or CentOS Hardening
+# Modify by: Samson-W (samson@hardenedlinux.org)
 #

 #
@ -18,28 +19,36 @@ PACKAGES='rsh-client rsh-redone-client heimdal-clients'

 # This function will be called if the script status is on enabled / audit mode
 audit () {
-    for PACKAGE in $PACKAGES; do 
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
-            crit "$PACKAGE is installed"
-        else
-            ok "$PACKAGE is absent"
-        fi
-    done
+	if [ $OS_RELEASE -eq 2 ]; then
+		ok "Redhat or CentOS does not have this check, so PASS"
+	else 
+    	for PACKAGE in $PACKAGES; do 
+        	is_pkg_installed $PACKAGE
+        	if [ $FNRET = 0 ]; then
+            	crit "$PACKAGE is installed"
+        	else
+            	ok "$PACKAGE is absent"
+        	fi
+    	done
+	fi
 }

 # This function will be called if the script status is on enabled mode
 apply () {
-    for PACKAGE in $PACKAGES; do 
-        is_pkg_installed $PACKAGE
-        if [ $FNRET = 0 ]; then
-            warn "$PACKAGE is installed, purging"
-            apt-get purge $PACKAGE -y
-            apt-get autoremove
-        else
-            ok "$PACKAGE is absent"
-        fi
-    done
+	if [ $OS_RELEASE -eq 2 ]; then
+		ok "Redhat or CentOS does not have this check, so PASS"
+	else 
+    	for PACKAGE in $PACKAGES; do 
+        	is_pkg_installed $PACKAGE
+        	if [ $FNRET = 0 ]; then
+            	warn "$PACKAGE is installed, purging"
+            	apt-get purge $PACKAGE -y
+            	apt-get autoremove
+        	else
+            	ok "$PACKAGE is absent"
+        	fi
+    	done
+	fi
 }

 # This function will check config parameters required
--- a/bin/hardening/5.1.4_disable_talk.sh
+++ b/bin/hardening/5.1.4_disable_talk.sh
@ -1,7 +1,8 @@
 #!/bin/bash

 #
-# harbian audit 7/8/9  Hardening
+# harbian audit 7/8/9/10 or CentOS Hardening
+# Modify by: Samson-W (samson@hardenedlinux.org)
 #

 #
@ -16,9 +17,9 @@ HARDENING_LEVEL=2
 PACKAGES='inetutils-talkd talkd'
 FILE='/etc/inetd.conf'
 PATTERN='^(talk|ntalk)'
+PACKAGES_REDHAT='talk-server'

-# This function will be called if the script status is on enabled / audit mode
-audit () {
+audit_debian () {
    for PACKAGE in $PACKAGES; do
        is_pkg_installed $PACKAGE
        if [ $FNRET = 0 ]; then
@ -40,8 +41,30 @@ audit () {
    done
 }

-# This function will be called if the script status is on enabled mode
-apply () {
+audit_redhat () {
+    for PACKAGE in $PACKAGES_REDHAT; do
+        is_pkg_installed $PACKAGE
+        if [ $FNRET = 0 ]; then
+            crit "$PACKAGE is installed"
+        else
+            ok "$PACKAGE is absent"
+        fi
+	done
+}
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+	if [ $OS_RELEASE -eq 1 ]; then
+		audit_debian
+	elif [ $OS_RELEASE -eq 2 ]; then
+		audit_redhat
+	else
+		crit "Current OS is not support!"
+		FNRET=44
+	fi
+}
+
+apply_debian () {
    for PACKAGE in $PACKAGES; do
        is_pkg_installed $PACKAGE
        if [ $FNRET = 0 ]; then
@ -69,6 +92,28 @@ apply () {
    done
 }

+apply_redhat () {
+    for PACKAGE in $PACKAGES_REDHAT; do
+        is_pkg_installed $PACKAGE
+        if [ $FNRET = 0 ]; then
+            crit "$PACKAGE is installed, purging it"
+            yum remove $PACKAGE -y
+        else
+            ok "$PACKAGE is absent"
+        fi
+    done
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+	if [ $OS_RELEASE -eq 1 ]; then
+		apply_debian
+	elif [ $OS_RELEASE -eq 2 ]; then
+		apply_redhat
+	else
+		crit "Current OS is not support!"
+	fi
+}
 # This function will check config parameters required
 check_config() {
    :
--- a/bin/hardening/5.1.5_disable_talk_client.sh
+++ b/bin/hardening/5.1.5_disable_talk_client.sh
@ -1,7 +1,8 @@
 #!/bin/bash

 #
-# harbian audit 7/8/9  Hardening
+# harbian audit 7/8/9/10 or CentOS Hardening
+# Modify by: Samson-W (samson@hardenedlinux.org)
 #

 #
@ -14,9 +15,13 @@ set -u # One variable unset, it's over
 HARDENING_LEVEL=2

 PACKAGES='talk inetutils-talk'
+PACKAGES_REDHAT='talk'

 # This function will be called if the script status is on enabled / audit mode
 audit () {
+	if [ $OS_RELEASE -eq 2 ]; then
+		PACKAGES=$PACKAGES_REDHAT
+	fi
    for PACKAGE in $PACKAGES; do
        is_pkg_installed $PACKAGE
        if [ $FNRET = 0 ]; then
@ -29,12 +34,19 @@ audit () {

 # This function will be called if the script status is on enabled mode
 apply () {
+	if [ $OS_RELEASE -eq 2 ]; then
+		PACKAGES=$PACKAGES_REDHAT
+	fi
    for PACKAGE in $PACKAGES; do
        is_pkg_installed $PACKAGE
        if [ $FNRET = 0 ]; then
            warn "$PACKAGE is installed, purging"
-            apt-get purge $PACKAGE -y
-            apt-get autoremove
+			if [ $OS_RELEASE -eq 2 ]; then
+				yum remove $PACKAGE -y
+			else
+            	apt-get purge $PACKAGE -y
+            	apt-get autoremove
+			fi
        else
            ok "$PACKAGE is absent"
        fi
--- a/bin/hardening/5.1.6_disable_telnet_server.sh
+++ b/bin/hardening/5.1.6_disable_telnet_server.sh
@ -1,7 +1,8 @@
 #!/bin/bash

 #
-# harbian audit 7/8/9  Hardening
+# harbian audit 7/8/9/10 or CentOS Hardening
+# Modify by: Samson-W (samson@hardenedlinux.org)
 #

 #
@ -17,9 +18,9 @@ HARDENING_LEVEL=2
 PACKAGES='telnetd inetutils-telnetd telnetd-ssl krb5-telnetd heimdal-servers'
 FILE='/etc/inetd.conf'
 PATTERN='^telnet'
+PACKAGE_REDHAT='telnet-server'

-# This function will be called if the script status is on enabled / audit mode
-audit () {
+audit_debian () {
    for PACKAGE in $PACKAGES; do
        is_pkg_installed $PACKAGE
        if [ $FNRET = 0 ]; then
@ -41,8 +42,28 @@ audit () {
    done
 }

-# This function will be called if the script status is on enabled mode
-apply () {
+audit_redhat () {
+	is_pkg_installed $PACKAGE_REDHAT
+	if [ $FNRET = 0 ]; then
+		crit "$PACKAGE_REDHAT is installed"
+	else
+		ok "$PACKAGE_REDHAT is absent"
+	fi
+}
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+	if [ $OS_RELEASE -eq 1 ]; then
+		audit_debian
+	elif [ $OS_RELEASE -eq 2 ]; then
+		audit_redhat
+	else
+		crit "Current OS is not support!"
+		FNRET=44
+	fi
+}
+
+apply_debian () {
    for PACKAGE in $PACKAGES; do
        is_pkg_installed $PACKAGE
        if [ $FNRET = 0 ]; then
@ -70,6 +91,27 @@ apply () {
    done
 }

+apply_redhat () {
+	is_pkg_installed $PACKAGE_REDHAT
+	if [ $FNRET = 0 ]; then
+		crit "$PACKAGE_REDHAT is installed, purging it"
+		yum remove $PACKAGE_REDHAT -y 
+	else
+		ok "$PACKAGE_REDHAT is absent"
+	fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+	if [ $OS_RELEASE -eq 1 ]; then
+		apply_debian
+	elif [ $OS_RELEASE -eq 2 ]; then
+		apply_redhat
+	else
+		crit "Current OS is not support!"
+	fi
+}
+
 # This function will check config parameters required
 check_config() {
    :
--- a/bin/hardening/5.1.7_disable_tftp_server.sh
+++ b/bin/hardening/5.1.7_disable_tftp_server.sh
@ -1,7 +1,8 @@
 #!/bin/bash

 #
-# harbian audit 7/8/9  Hardening
+# harbian audit 7/8/9/10 or CentOS Hardening
+# Modify by: Samson-W (samson@hardenedlinux.org)
 #

 #
@ -16,9 +17,9 @@ HARDENING_LEVEL=2
 PACKAGES='tftpd tftpd-hpa atftpd'
 FILE='/etc/inetd.conf'
 PATTERN='^tftp'
+PACKAGE_REDHAT='tftp-server'

-# This function will be called if the script status is on enabled / audit mode
-audit () {
+audit_debian () {
    for PACKAGE in $PACKAGES; do 
        is_pkg_installed $PACKAGE
        if [ $FNRET = 0 ]; then
@ -40,8 +41,28 @@ audit () {
    done
 }

-# This function will be called if the script status is on enabled mode
-apply () {
+audit_redhat () {
+	is_pkg_installed $PACKAGE_REDHAT
+	if [ $FNRET = 0 ]; then
+		crit "$PACKAGE_REDHAT is installed"
+	else
+		ok "$PACKAGE_REDHAT is absent"
+	fi
+}
+
+# This function will be called if the script status is on enabled / audit mode
+audit () {
+	if [ $OS_RELEASE -eq 1 ]; then
+		audit_debian
+	elif [ $OS_RELEASE -eq 2 ]; then
+		audit_redhat
+	else
+		crit "Current OS is not support!"
+		FNRET=44
+	fi
+}
+
+apply_debian () {
    for PACKAGE in $PACKAGES; do 
        is_pkg_installed $PACKAGE
        if [ $FNRET = 0 ]; then
@ -69,6 +90,26 @@ apply () {
    done
 }

+apply_redhat () {a
+	is_pkg_installed $PACKAGE_REDHAT
+	if [ $FNRET = 0 ]; then
+		crit "$PACKAGE_REDHAT is installed, purging it"
+		yum remove $PACKAGE_REDHAT -y 
+	else
+		ok "$PACKAGE_REDHAT is absent"
+	fi
+}
+
+# This function will be called if the script status is on enabled mode
+apply () {
+	if [ $OS_RELEASE -eq 1 ]; then
+		apply_debian
+	elif [ $OS_RELEASE -eq 2 ]; then
+		apply_redhat
+	else
+		crit "Current OS is not support!"
+	fi
+}
 # This function will check config parameters required
 check_config() {
    :